Implementing PassTickets for secure sign-on

Using PassTickets in place of passwords removes the need for applications to store passwords (or ask users to re-enter them) in the sign-on process, and consequently the need to transmit passwords across the network. To implement PassTickets for secure sign-on in your CICS environment, follow this procedure.

In this documentation, the originating system refers to the system where a PassTicket is generated, and the destination system refers to the system that the signed-on user ID attempts to access with the PassTicket and where the PassTicket is authenticated.

Before you begin

To implement PassTickets, the systems involved must meet the following requirements:
  • Because the PassTicket generation and validation algorithm is implemented by the external security manager, the system that generates the PassTicket and the system that authenticates it must both use a level of the external security manager that supports PassTickets.
  • End users must use the same user ID in the destination system as the one that they use in the originating system.
  • Because PassTickets are time-stamped, the system clocks for the destination system and the originating system must be synchronized to within the valid time range. A PassTicket is considered to be within the valid time range when the time of generation, with respect to the clock on the generating computer, is within plus or minus 10 minutes of the time of evaluation, with respect to the clock on the evaluating computer. For more information about system time differences and synchronization, see Using the secured signon function in z/OS Security Server RACF Security Administrator's Guide.

Procedure

Note: The following procedure assumes that RACF® is the external security manager used in the implementation. Users of other external security managers should refer to the documentation for their product.

Define Secure Sign-on keys:

To process PassTickets, the external security manager uses Secure Sign-on keys that are shared by the originating and destination systems. You must define a Secure Sign-on key for each destination system. For information about how to do this with RACF by defining profiles in the PTKTDATA resource class, see Using the secured signon function in z/OS Security Server RACF Security Administrator's Guide.

Define RACF profiles:

To allow an originating system to generate a PassTicket:

Note: It is strongly recommended to limit PassTicket generation to only those regions that require it. The regions should be set with the system initialization parameter XPTKT=YES (the default).

Profile for users on a specific originating region:
RDEFINE PTKTDATA IRRPTAUTH.applid.* UACC(NONE)
PERMIT IRRPTAUTH.applid.* CLASS(PTKTDATA) ID(user) ACCESS(UPDATE)

applid is the generic applid of the originating region.

user is the user or group of users allowed to generate PassTickets on this region.

To allow a destination region to accept a PassTicket:
RDEF PTKTDATA applid SSIGNON(KEYMASKED(key)) UACC(NONE)

applid is the generic applid of the destination region.

If the PTKTDATA class is RACLISTed, refresh the in-storage profiles so that the new definitions take effect:
SETR RACLIST(PTKTDATA) REFRESH
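The complete sequence on both systems, as an added worked example that is not part of the CICS documentation or product: it assumes CICSORG1 as the originating region's applid, CICSDST1 as the destination region's applid, group CICSAPPL as the users allowed to generate PassTickets, and a placeholder key value (constructed; generate a random 16-hex-digit key for a real system). The CLASSACT activation and the final RLIST check are added steps not listed above; comments are CLIST-style.

```tso
/* Originating system (applid CICSORG1): activate the class, define */
/* the key shared with the destination applid, and authorize group  */
/* CICSAPPL to generate PassTickets from this region. The SIT of    */
/* region CICSORG1 keeps XPTKT=YES (the default).                   */
SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
RDEFINE PTKTDATA CICSDST1 SSIGNON(KEYMASKED(0123456789ABCDEF)) UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.CICSORG1.* UACC(NONE)
PERMIT IRRPTAUTH.CICSORG1.* CLASS(PTKTDATA) ID(CICSAPPL) ACCESS(UPDATE)
SETROPTS RACLIST(PTKTDATA) REFRESH

/* Destination system (applid CICSDST1): the same key under the    */
/* same applid. Generation authority is granted only on the         */
/* originating system, so no IRRPTAUTH profile is defined here.     */
SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
RDEFINE PTKTDATA CICSDST1 SSIGNON(KEYMASKED(0123456789ABCDEF)) UACC(NONE)
SETROPTS RACLIST(PTKTDATA) REFRESH

/* Check on either system: shows that a key is defined for the      */
/* applid, not the key value itself. A mismatch between the two     */
/* systems' keys, or a clock skew beyond the 10-minute window,      */
/* causes PassTickets generated on CICSORG1 to fail on CICSDST1.    */
RLIST PTKTDATA CICSDST1 SSIGNON
```

The key must be identical on both systems, because the destination recomputes the PassTicket from its own copy of the key when it authenticates the sign-on.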